IETF Logo Mail Archive

Re: [Syslog] -transport-tls-12, section 4.2.3 (fingerprints)

"Rainer Gerhards" <rgerhards@hq.adiscon.com> Thu, 08 May 2008 20:06 UTC

Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 61E3A3A68A4; Thu, 8 May 2008 13:06:59 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 73BC73A6C2F for <syslog@core3.amsl.com>; Thu, 8 May 2008 13:06:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id id2REMbBd2tC for <syslog@core3.amsl.com>; Thu, 8 May 2008 13:06:55 -0700 (PDT)
Received: from mailin.adiscon.com (hetzner.adiscon.com [85.10.198.18]) by core3.amsl.com (Postfix) with ESMTP id 621903A6858 for <syslog@ietf.org>; Thu, 8 May 2008 13:06:55 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailin.adiscon.com (Postfix) with ESMTP id B53947AE1DF; Thu, 8 May 2008 22:03:56 +0200 (CEST)
Received: from mailin.adiscon.com ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q3TWGNCP8ZjD; Thu, 8 May 2008 22:03:56 +0200 (CEST)
Received: from grfint2.intern.adiscon.com (p50989a7c.dip0.t-ipconnect.de [80.152.154.124]) by mailin.adiscon.com (Postfix) with ESMTP id 7DFB97AE1D7; Thu, 8 May 2008 22:03:56 +0200 (CEST)
Content-class: urn:content-classes:message
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Thu, 08 May 2008 22:06:55 +0200
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA308FAA@grfint2.intern.adiscon.com>
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE505C94F0F@xmb-sjc-225.amer.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: -transport-tls-12, section 4.2.3 (fingerprints)
Thread-Index: AcixDGHYAKW3NlsISKSnpPNfuaTo8wADXRkAAACHySAACqjW8A==
References: <577465F99B41C842AAFBE9ED71E70ABA308FA8@grfint2.intern.adiscon.com> <AC1CFD94F59A264488DC2BEC3E890DE505C94F0F@xmb-sjc-225.amer.cisco.com>
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Cc: syslog@ietf.org
Subject: Re: [Syslog] -transport-tls-12, section 4.2.3 (fingerprints)
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

> > > -----Original Message-----
> > > From: Rainer Gerhards
> > > Sent: Thursday, May 08, 2008 3:07 PM
> > > To: syslog@ietf.org
> > > Subject: -transport-tls-12, section 4.2.3 (fingerprints)
> > > 
> > > Joe,
> > > 
> > > I am implementing fingerprint authentication. I have some trouble 
> > > understanding this text:
> > > 
> > > ===
> > > Both client and server implementations MUST make the certificate 
> > > fingerprint available through a management interface.  If 
> no other 
> > > certificate is configured, both client and server 
> > implementations MUST 
> > > support generating a key pair and self-signed certificate.
> > > ===
> > > 
> > > Especially the "If no other certificate is configured..." 
> > part puzzles 
> > > me. Does that mean that if no certificate is configured, 
> the syslogd
> > is
> > > responsible for generating a self-signed certificate 
> automatically?
> > > 
> > > If so, I have concerns if that is the right thing to do. I think 
> > > certificates should always be generated by an operator.
> > > 
> > > Or does it mean that there must be a management interface 
> > to generate 
> > > self-signed certificates? If so, I assume that this management 
> > > interface may reside outside of the core syslogd. In 
> > rsyslog, I will 
> > > provide some tools to generate self-signed certificates and 
> > obtain the 
> > > fingerprints (you may want to look at the rough prototypes 
> > if I made 
> > > myself not clear enough:
> > http://git.adiscon.com/?p=rsyslog.git;a=tree;f=tools/gnutls;h=
> > 1abb246805
> > 546ebd2f1f008a3cf256d5c76b7cbc;hb=HEAD ).
> > > 
> [Joe] I don't know that we need to restrict this to a particular
> implementation.  I think it would be good to provide a management
> interface to do the generation.  It seems that it would be an 
> acceptable
> implementation to auto-generate it as well. 

[Rainer] As long as the syslogd is not required to auto-generate certs,
I am happy enough ;)

However, I wonder why it would be useful to auto-generate certs.
Probably I am overlooking somehting obvious. But: isn't cert
auto-generation equal to no authentication? After all, if a
*self-signed* cert is generated by the remote peer AND we accept it,
doesn't that essentially mean we accept any peer because the peer can
put whatever it likes into the cert? I do not see why this is any better
than having no cert at all...

Rainer
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog

v2.23.0 | Report a Bug | By Email